
Virtual Private Cloud: Use resource management to share IPAM pools

Last Updated: Oct 09, 2024

In a multi-account architecture, corporate network administrators can use the IPAM feature to plan and manage IP addresses, after which the administrators can use the resource sharing feature to share the created IPAM pools with business accounts. This achieves unified allocation and management of internal corporate addresses, simplifies network management, and helps companies focus on innovation.

Overview

Resource sharing

Resource sharing is useful in a multi-account architecture where certain cloud resources are centrally managed by one account, or where resources have a low utilization rate. With the resource sharing feature, you can share these resources with other Alibaba Cloud accounts in the following ways:

  • Share the resources from one Alibaba Cloud account with another.

  • Share the resources by using the resource directory if a company centrally manages corporate accounts in a resource directory.

    • Share resources of a member in the resource directory with an external account.

    • Share resources of a member in the resource directory with a resource directory, a resource folder, or other members.

IPAM pool sharing

The owner of an IPAM pool can share the pool with other Alibaba Cloud accounts, known as principals. Principals can allocate resources from the shared IPAM pool when creating a virtual private cloud (VPC).

Currently, an IPAM pool can be shared with Alibaba Cloud accounts (primary accounts) in the same business organization, as well as with any other Alibaba Cloud account (primary account).

Note

When an IPAM pool is shared:

  • To another Alibaba Cloud primary account: principals need to accept the invitation.

  • In the same resource directory: principals accept the invitation by default.

  • The resource owner can cancel the sharing, but the principal cannot exit the resource share proactively.

Scenarios

  • Resource sharing in the corporate network: Administrators can centrally plan IP addresses and share different address pools with business teams. This prevents address conflicts through efficient address allocation and management.

  • Resource sharing across accounts: Existing IPAM pools can be shared with other Alibaba Cloud accounts for unified address planning and management across accounts. This ensures independent IP addresses for network connection.

Limits

After an IPAM pool is shared with the principal, the resource owners and principals have the following permissions on the shared pool:

| Feature | Resource owner | Principal |
| --- | --- | --- |
| Create VPCs and allocate resources from the IPAM pool | Supported | Supported |
| Allocate secondary CIDR blocks to VPC from the IPAM pool | Supported | Supported |
| Delete IPAM pool | Supported | Not supported |
| Edit IPAM pool | Supported | Supported (Only name and description can be edited.) |
| Query IPAM pool | Supported | Supported |
| Query CIDR information of IPAM pool | Supported | Supported |
| Pre-allocate CIDR for IPAM pool | Supported | Not supported |
| Cancel pre-allocated CIDR | Supported | Not supported |
| Create custom allocation | Supported | Supported |
| Release custom allocation | Supported | Supported |
| Query custom allocation | Supported | Supported |
| Modify allocation rules | Supported | Not supported |
| Enable/disable automatic import | Supported | Not supported |
| Query resources of IPAM pool | Supported | Not supported |

Prerequisites

IPAM and IPAM pools are created. For more information, see Create and manage an IPAM and Create and manage an IPAM pool.

Procedure

Step 1: Resource owner shares IPAM pools in resource management

  1. Log on to the account of the resource owner and navigate to the IPAM management console.

  2. On the top navigation bar, select the region in which the IPAM pool resides. In the left-side navigation pane, click IPAM Pool.

  3. On the IPAM Pool page, open the IPAM pool in one of the following ways.

    • Find the IPAM pool that you intend to configure and click its instance ID.

    • Find the IPAM pool and click Manage in the Actions column.

  4. Click the Sharing Management tab, then click Create Resource Share.

  5. On the Create Resource Share page, complete the resource sharing configuration by following the steps.

    1. Set Resources to IPAM Pool and select the IPAM pool you want to share.

    2. The associated permission is AliyunRSDefaultPermissionIpamPool for the IPAM pool.

      Actions allowed by AliyunRSDefaultPermissionIpamPool

      vpc:CreateVpc
      vpc:AssociateVpcCidrBlock
      vpc:ListIpamPools
      vpc:ListIpamPoolCidrs
      vpc:CreateIpamPoolAllocation
      vpc:DeleteIpamPoolAllocation
      vpc:ListIpamPoolAllocations
    3. On the Add Principals page, enter the Principal ID.

Step 2: Principals allocate resources from the shared IPAM pool

Principals accept the sharing invitation

  1. Log on to the account of the resource user and navigate to the Resource Management console.

  2. In the left-side navigation pane, click Resource Sharing > Resources Shared To Me.

  3. On the Shared By Me page, find the target resource share and click Accept in the Status column. In the Accept Resource Sharing Invitation dialog box, click OK.

Note

When an IPAM pool is shared, you can view it under the My Pools tab on the IPAM Pool page with the resource owner account and under the Pools Shared With Me tab with the principal account.

Allocate resources from the shared IPAM pool and create VPC

  1. Log on to the principal account and navigate to the VPC console.

  2. On the VPC page, click Create VPC.

  3. For the IPv4 CIDR Block, select IPv4 CIDR Block allocated by IPAM. In Select Pool, choose the shared IPAM pool.

Note

After the principal creates a VPC, the resource owner can see an increase in the pool usage of the shared IPAM pool.

What to do next (optional)

Resource owner cancels IPAM pool sharing

  1. On the IPAM Pool page, click the Resource Share you want to manage under the Sharing Management tab.

  2. On the Resource Shares page of the Resource Management console, click Delete Resource Share.

Note
  • After the resource sharing is canceled, the principals no longer have access to the shared IPAM pool. However, VPCs created using the shared IPAM pool remain unaffected. If the VPC is released, the address pool allocation is also released.

  • The resource owner can manage the allocations of the IPAM pool, including releasing allocations for VPCs created by the principal and customizing allocations.
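The following Python audit is an added example, not Alibaba Cloud code: it shows how a resource owner could review a shared pool for external principals and for allocations that outlived a cancelled share, as the notes above describe. The record layout, account IDs and pool ID are constructed placeholders, not an API response format.

```python
import ipaddress

# Constructed sample data; field names are hypothetical, not an API schema.
POOL = {"id": "ipam-pool-example", "owner": "1000000000000001",
        "cidr": "10.0.0.0/16"}
# Principals currently listed on the resource share.
PRINCIPALS = {
    "1000000000000002": {"in_directory": True, "accepted": True},
    "2000000000000009": {"in_directory": False, "accepted": False},  # pending
}
ALLOCATIONS = [
    {"cidr": "10.0.0.0/20", "account": "1000000000000001"},   # owner's VPC
    {"cidr": "10.0.16.0/20", "account": "1000000000000002"},  # active principal
    {"cidr": "10.0.32.0/20", "account": "3000000000000007"},  # share cancelled
]


def can_allocate(account, pool, principals):
    """Owner always can. A principal can once the invitation is accepted;
    principals in the same resource directory accept by default."""
    if account == pool["owner"]:
        return True
    p = principals.get(account)
    return bool(p) and (p["in_directory"] or p["accepted"])


def audit(pool, principals, allocations):
    """Return (finding, account, detail) tuples for the owner to review."""
    findings = []
    pool_net = ipaddress.ip_network(pool["cidr"])
    for account, p in principals.items():
        if not p["in_directory"]:
            state = "accepted" if p["accepted"] else "pending"
            findings.append(("external-principal", account, state))
    for a in allocations:
        net = ipaddress.ip_network(a["cidr"])
        if not net.subnet_of(pool_net):
            findings.append(("outside-pool", a["account"], a["cidr"]))
        if not can_allocate(a["account"], pool, principals):
            # VPCs survive a cancelled share; the owner can still release
            # the allocation from the pool.
            findings.append(("allocation-without-share", a["account"], a["cidr"]))
    return findings


if __name__ == "__main__":
    for finding in audit(POOL, PRINCIPALS, ALLOCATIONS):
        print(finding)
```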

References

  • For more information about the IPAM resource sharing quota, see Quota limits.

  • For more information about the scenarios, concepts, and limits of resource sharing, see Resource Sharing overview.